A Theory on Information Security
Australasian Conference on Information Systems
Horne et al. 2016, Wollongong, Australia

A Theory on Information Security

Craig A. Horne
Department of Computing and Information Systems
The University of Melbourne
Victoria, Australia
Email: [email protected]

Atif Ahmad
Department of Computing and Information Systems
The University of Melbourne
Victoria, Australia
Email: [email protected]

Sean B. Maynard
Department of Computing and Information Systems
The University of Melbourne
Victoria, Australia
Email: [email protected]

Abstract

This paper proposes a theory on information security. We argue that information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognised as the confidentiality, integrity and availability of information; however, we argue that the goal is actually to simply create resources. This paper responds to calls for more theory in information systems, places the discussion in philosophical context and compares various definitions. It then identifies the key concepts of information security and describes the relationships between these concepts, as well as scope and causal explanations. The paper provides the theoretical base for understanding why information is protected, in addition to theoretical and practical implications and suggestions for future research.

Keywords

Information security, resources, controls, threats, theory development.

1 INTRODUCTION

Despite the concept of information security being very well established, the reasons and motivations behind it are imperfectly understood. This paper seeks to explain how and why the phenomena that comprise the concepts of information security occur.
The emphasis of this paper is to explain the information security concepts and the relationships between them, in order to alter our understanding of why we protect information. This proposed theory on information security simply states that the motivation behind all attempts by an organisation to secure information against threats is to create resources that can later improve organisational performance. Information will degrade over time without adequate controls implemented for its protection. In terms of the taxonomy of information systems theories presented by Gregor (2006), this manuscript provides a (Type 2) high-level theory for explanation, describing how and why the phenomenon of information security occurs.

The theory on information security originates from the area of information systems, built entirely from concepts that relate to information and the breadth of systems that it can reside on. It applies at different levels, including strategies to protect information used by individuals, groups and organisations, as well as information shared between organisations. The results are that, depending on the information affected, degradation over time may reduce the usefulness of the resource and thus lead to the potential erosion of competitive advantage or organisational success.

The paper proceeds in three major sections, with the major headings and section structure adapted from Rivard (2014). In the next section, we introduce information security, discuss why a theory on information security is needed and carefully examine issues with existing theory. Secondly, we explain the theory on information security. Thirdly, we examine the implications for the development of this theory. Finally, we briefly draw conclusions, consider limitations and offer proposals for future research to improve our theoretical understanding of information security.

2 WHAT IS INFORMATION SECURITY?
The following section begins with a narrative describing why a new theory on information security is needed. This description of what motivates the study is based on an exploration of the theoretical issues in the relevant literature. The result is a set of conditions that this new theoretical development then meets.

2.1 Motivating the Study

This paper is broadly motivated by calls for ‘good theory’ within the domain of information systems (Webster and Watson 2002; Zmud 1998; Zmud et al. 2001). The current paucity of good quality theories in the information systems domain leads to calls for development of our ‘own’ theory (Markus and Saunders 2007; Weber 2003; Weber 2012). Importantly, there have been calls for bolder and more original information systems explanatory theory (Grover et al. 2008). The development of new ideas and theories is scarce yet essential (Markus and Saunders 2007; Rivard 2014). Therefore, to begin with, as Weber (2003, pp. iii) states, “choosing the phenomena we wish to explain or predict—is the most important decision we make as a researcher”.

More specifically, this paper is motivated by an apparent gap in the literature, where a theory on information security is not apparent. A search of the academic literature, as described in the next section, does not reveal any literature that purports to offer a theory on information security. This search of overlooked areas is a form of neglect-spotting (Sandberg and Alvesson 2011). Stronger theory can be produced from linking theories of diverse types, and academics have been urged to consider combining other types of theory with their own (Gregor 2006). Towards that, using this theory on information security as one that underpins a theoretical perspective on information security strategy in organisations could prove useful (Horne et al. 2015).

There are theories that relate to information security.
For example, the Theory of Information Warfare presents a model of information warfare in terms of four main elements: information resources, players, offensive operations, and defensive operations (Denning 1999). The Theory of Protection Motivation predicts users’ intentions to protect themselves after receiving fear-arousing recommendations (Rogers 1975). There are no theories, however, where the locus of knowledge is in information security alone.

This gap, however, is not because information security is uninteresting. Almost every organisation requires information to function, and disruption to information from a security breach can often lead to disruption of an organisation’s operations (Cavusoglu et al. 2004). Therefore, filling this gap will make a valuable contribution to the body of knowledge.

2.2 Relevant Literature

A thematic study of the information systems literature is presented, in order to develop a perspective on information security and its interactions. The contextual setting is described before information security itself is examined. With this understanding, a theory on information security can then be posited based on commonly accepted philosophy.

2.2.1 Context

The theories or knowledge within any discipline are explained based on questions grouped within four classes which, in descending order, are 1. domain, 2. ontology, 3. epistemology and 4. socio-political (Gregor 2006). This section explores the information security concept within the context of these four classes of questions.

Domain of Information Systems

Information systems has been defined as a collective term that refers to a number of areas of application, including enterprise integration, natural language translation, geographic information systems, legal information systems, and biological information systems (Guarino 1998).
Separately, a core set of phenomena that defines the information systems field has been defined as including information technology (IT) capabilities, the IT artefact, IT practices, usage and impact (Benbasat and Zmud 2003). At the broadest level, the domain of information systems has been defined and explained as a system composed of people and computers that processes or interprets information, which is the view adopted throughout the rest of this paper (D'Atri et al. 2008).

Ontological Approach

Theory is understood within information systems as being broad in nature, encompassing frameworks, models, or the body of knowledge (Gregor 2006). The ontological character of theory types has been articulated as having five categorisations: analysis, explanation, prediction, explanation and prediction, and design and action (Gregor 2006). These categorisations provide researchers with a language to describe the various components of theory.

Epistemological Approach

To explore how theory can be constructed and what research methods can be used, we note that discussion in this area often contrasts the positivist and interpretivist views, or the quantitative and qualitative views (Gregor 2006). As explained later in Section 3.2 - Theory Type, the type of theory expounded in this paper is explanatory in nature, and theories of this nature are often associated with research in the interpretivist paradigm (Gregor 2006).

Socio-political Approach

Exploring where theory has been developed to date, we find that there have been a surprisingly low number of theories (i.e. fewer than half a dozen) that, when developed, originated solely from the area of information systems (Markus and Saunders 2007). Other theories have originating areas that include both information systems and a reference discipline, whilst the remainder originate solely from another discipline